can't see non-root writes to /dev/console

Carlos A. M. dos Santos unixmania at gmail.com
Mon Oct 13 14:23:04 PDT 2008


On Mon, Oct 13, 2008 at 6:05 PM, Edwin Groothuis <edwin at mavetju.org> wrote:
> On Sun, Oct 12, 2008 at 10:23:53PM -0700, Jeremy Chadwick wrote:
>> > The ioctl call fails (EPERM) because only superuser can use TIOCCONS,
>> > regardless the ownership of the device. Using xterm with the "-C"
>> > argument works because xterm is installed with the setuid flag bit on.
>> > So the solution is "chmod +us  xconsole".
>>
>> Can someone security audit this program before blindly setuid-root'ing
>> it?
>
> Isn't xconsole not just the same values as /var/log/messages ?
>
> So information-leaking-wise it isn't a huge deal. Only the program
> itself is now the unknown.
>
> Edwin
> --
> Edwin Groothuis         Website: http://www.mavetju.org/
> edwin at mavetju.org       Weblog:  http://www.mavetju.org/weblog/

The OpenBSD folks solved the permission issue a long time ago (*) by
means of a privilege separation feature. Take a look at

     http://www.openbsd.org/cgi-bin/cvsweb/xenocara/app/xconsole/

I will see if it is possible to update the xconsole port in order to do
the same. Is there any standard privilege separation framework on
FreeBSD?

(*) http://openbsd.monkey.org/tech/200302/msg00064.html

-- 
cd /usr/ports/sysutils/life
make clean
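The privilege-separation structure referred to in the message above, as an added illustration that is not the OpenBSD xconsole code or anything from the FreeBSD port: the single TIOCCONS call that needs root is isolated in one function, and the process drops to the invoking user's uid and gid before it reads a byte. It assumes the POSIX pty functions and the Linux (no argument) and BSD (int flag) forms of TIOCCONS; the function names are assumptions of this example.

```c
#define _GNU_SOURCE                  /* declares posix_openpt/grantpt/unlockpt/ptsname */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Open a pseudo-terminal pair. Returns the master fd, or -1; slave fd via *slave. */
int open_console_pty(int *slave) {
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) return -1;
    const char *name;
    if (grantpt(master) < 0 || unlockpt(master) < 0 || !(name = ptsname(master))) {
        close(master); return -1;
    }
    *slave = open(name, O_RDWR | O_NOCTTY);
    if (*slave < 0) { close(master); return -1; }
    return master;
}

/* The single privileged step: make the pty slave the console output device.
 * Returns 0 on success, otherwise errno (EPERM when the caller is not root). */
int redirect_console(int slave) {
#ifdef __linux__
    if (ioctl(slave, TIOCCONS) < 0) return errno;       /* Linux form: no argument */
#else
    int on = 1;
    if (ioctl(slave, TIOCCONS, &on) < 0) return errno;  /* BSD form: int flag */
#endif
    return 0;
}

/* Drop root permanently to the invoking user's uid/gid. Returns 0 on success. */
int drop_privileges(void) {
    if (setgid(getgid()) < 0 || setuid(getuid()) < 0) return -1;
    if (getuid() != 0 && setuid(0) == 0) return -1;     /* drop must be irreversible */
    return 0;
}

int main(void) {
    int slave, master = open_console_pty(&slave);
    if (master < 0) { perror("pty"); return 1; }
    int rc = redirect_console(slave);
    if (rc != 0) { errno = rc; perror("TIOCCONS"); return 1; }
    if (drop_privileges() != 0) { perror("drop privileges"); return 1; }
    char buf[512]; ssize_t n;                            /* unprivileged from here on */
    while ((n = read(master, buf, sizeof buf)) > 0) fwrite(buf, 1, (size_t)n, stdout);
    return 0;
}
```

Installed setuid-root, the program holds root only for the lines before drop_privileges(); the read loop, where untrusted console bytes are handled, runs as the user.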
